A critical security vulnerability has been identified in the Exim mail transfer agent, which could allow threat actors to deliver malicious attachments to users’ inboxes.
This flaw, designated CVE-2024-39929, has a CVSS score of 9.1 out of 10.0 and has been fixed in version 4.98.
“Exim up to version 4.97.1 misparses a multiline RFC 2231 header filename, enabling remote attackers to bypass a $mime_filename extension-blocking mechanism and potentially deliver executable attachments to end users’ mailboxes,” according to a description on the U.S. National Vulnerability Database (NVD).
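The NVD description above says the extension check can be bypassed because a multiline RFC 2231 filename is misparsed, but it does not show what a correct check has to do. The Python below is an added illustration, not code from Exim's source: it unfolds the header, merges RFC 2231 `filename*N` and `filename*N*` segments, and only then compares the extension against a blocklist. The blocklist, the sample Content-Disposition values and the deliberately weak `first_segment_only_blocked` function are constructed for this example and do not reproduce Exim's actual parser or its `$mime_filename` logic.

```python
"""Extension blocking over RFC 2231 continuation filenames.

Added example for the Exim CVE-2024-39929 write-up: a filename filter must
unfold the header and reassemble RFC 2231 continuation segments before it
looks at the extension. Everything below is constructed for illustration and
is not Exim's code or configuration.
"""
import re
from urllib.parse import unquote

# Constructed blocklist, roughly the kind a $mime_filename ACL would consult.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs", "hta"}

# key=value pairs; quoted-string values may contain ';'
PARAM_RE = re.compile(r'\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*(?:;|$)')
# name, optional *N section index, optional trailing * marking charset encoding
SEGMENT_RE = re.compile(r"([^*]+)(?:\*(\d+))?(\*)?")


def unfold(raw_header):
    """Join folded header lines (CRLF followed by whitespace) into one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_header)


def parse_params(header_value):
    """Split 'attachment; k=v; ...' into (disposition, {k: v}) with lowercased keys."""
    disposition, _, rest = header_value.partition(";")
    params = {}
    for key, value in PARAM_RE.findall(rest):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        params[key.lower()] = value
    return disposition.strip().lower(), params


def reassemble_rfc2231(params):
    """Merge name*N / name*N* segments (RFC 2231 sections 3 and 4) into plain values."""
    merged, segments = {}, {}
    for key, value in params.items():
        m = SEGMENT_RE.fullmatch(key)
        if not m:
            continue
        name, index, encoded = m.groups()
        if index is None and encoded is None:
            merged[name] = value  # ordinary, single-part parameter
            continue
        segments.setdefault(name, {})[int(index or 0)] = (encoded is not None, value)
    for name, segs in segments.items():
        charset, pieces = "us-ascii", []
        for i in sorted(segs):
            encoded, value = segs[i]
            if i == 0 and encoded and value.count("'") >= 2:
                charset, _lang, value = value.split("'", 2)  # charset'lang'value
            if encoded:
                value = unquote(value, encoding=charset or "us-ascii", errors="replace")
            pieces.append(value)
        merged[name] = "".join(pieces)
    return merged


def extension_of(filename):
    """Lowercased last extension, or '' when the name has no dot."""
    return filename.rsplit(".", 1)[-1].strip().lower() if "." in filename else ""


def effective_filename(raw_header):
    """Filename the recipient will actually see, after unfolding and reassembly."""
    _, params = parse_params(unfold(raw_header))
    return reassemble_rfc2231(params).get("filename", "")


def blocked_attachment(raw_header):
    """Hardened check: decide on the fully reassembled filename."""
    return extension_of(effective_filename(raw_header)) in BLOCKED_EXTENSIONS


def first_segment_only_blocked(raw_header):
    """Hypothetical weak check, for contrast only: inspects the first segment it finds."""
    _, params = parse_params(unfold(raw_header))
    first = params.get("filename") or params.get("filename*0") or params.get("filename*0*", "")
    return extension_of(first) in BLOCKED_EXTENSIONS


# Constructed Content-Disposition values (not captured from real mail).
SAMPLE_HEADERS = {
    "plain_pdf": 'attachment; filename="invoice.pdf"',
    "plain_exe": 'attachment; filename="invoice.exe"',
    "continuation": 'attachment;\r\n filename*0="quarterly_report";\r\n filename*1=".exe"',
    "encoded": "attachment; filename*0*=utf-8''Rapport%20Q3; filename*1*=%2Eexe",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(f"{label:13} -> {effective_filename(header)!r:24} "
              f"blocked={blocked_attachment(header)} "
              f"first_segment_only={first_segment_only_blocked(header)}")
```

The design point is ordering: unfolding and RFC 2231 reassembly are lossy to skip, so any extension policy (mail ACL, gateway rule, detection query) has to run on the final filename, and a good regression test for such a filter is exactly a folded, multi-segment `filename*N` header whose extension only appears in a later segment.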
Exim is a free mail transfer agent used on Unix or Unix-like operating systems, first released in 1995 at the University of Cambridge.
According to attack surface management firm Censys, 4,830,719 of the 6,540,044 public-facing SMTP mail servers are running Exim. As of July 12, 2024, 1,563,085 internet-accessible Exim servers are running a potentially vulnerable version (4.97.1 or earlier).
Most of the vulnerable instances are found in the U.S., Russia, and Canada.
“The vulnerability allows remote attackers to bypass filename extension blocking protection measures and deliver executable attachments directly to users’ mailboxes,” noted Censys. “If a user downloads or runs one of these malicious files, their system could be compromised.”
This implies that a target must still open or run the attached executable for the attack to succeed. Although there are no reports of active exploitation of the flaw, administrators should upgrade to version 4.98 promptly to mitigate the risk.
This development follows nearly a year after project maintainers addressed six vulnerabilities in Exim that could lead to information disclosure and remote code execution.